Description: FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5.
Published: 2026-03-05
Score: 8.6 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: Authenticated SQL injection in the Logfiles module may allow privileged users to read or modify database entries, potentially leading to data exposure, unauthorized configuration changes, or further system compromise.
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the FreePBX Logfiles module, where untrusted input is incorporated into SQL queries without proper sanitization. The flaw permits authenticated users to inject arbitrary SQL commands, enabling the disclosure of sensitive data or modification of database records. Depending on the database and user privileges, an attacker could alter configuration settings, gain elevated privileges, or facilitate further compromise.

Affected Systems

FreePBX, an open‑source IP PBX platform managed by Sangoma, is affected. The flaw is present in releases prior to versions 16.0.10 and 17.0.5, including all earlier 16.0.x and 17.0.x builds. The vulnerable component is the Logfiles module, which is part of the core FreePBX distribution.

Risk and Exploitability

The CVSS score of 8.6 classifies this as a high‑severity issue. The EPSS score of less than 1% indicates a low probability that the vulnerability is actively exploited in the wild, likely because exploitation requires authenticated access. The flaw does not appear in the CISA Known Exploited Vulnerabilities list. An attacker would need valid credentials and access to the Logfiles module to exploit the injection, so insider or compromised administrator accounts are the primary threat vector.

Generated by OpenCVE AI on April 16, 2026 at 12:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreePBX to version 16.0.10 or later, or 17.0.5 or later.
  • If an immediate update is not possible, restrict access to the Logfiles module to a minimal set of trusted users and monitor for suspicious activity.
  • Apply strong authentication and least‑privilege rules across the system to limit the impact of compromised credentials.

Generated by OpenCVE AI on April 16, 2026 at 12:16 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 18:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Sangoma; Sangoma freepbx

Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Sangoma; Sangoma freepbx

Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 06 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Freepbx; Freepbx security-reporting

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Freepbx; Freepbx security-reporting

Thu, 05 Mar 2026 19:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5.

Type: Title
  Values Removed: (none)
  Values Added: FreePBX: Authenticated SQL Injection Vulnerabilities in FreePBX Logfiles Module

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-89

Type: References
  Values Removed: (none)
  Values Added: (none listed)

Type: Metrics (cvssV4_0)
  Values Removed: (none)
  Values Added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Freepbx Security-reporting
Sangoma Freepbx
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-07T04:55:27.537Z

Reserved: 2026-02-26T01:52:58.735Z

Link: CVE-2026-28284

Vulnrichment

Updated: 2026-03-06T15:58:34.124Z

NVD

Status: Analyzed

Published: 2026-03-05T19:16:14.867

Modified: 2026-03-06T18:32:58.330

Link: CVE-2026-28284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses